Practice doesnt necessarily make perfect, but it can lead to improvement. Quality practice is key in matters of human security, and the right quantity of practice can also make a significant difference when it comes to shifting mindsets and behavior.

Scientists believe that expert-level performance is primarily the result of expert-level practice, said Wendi Whitmore, IBM Security VP of X-Force Intelligence, Incident Response & Cyber Command. This concept is called deliberate practice.

Deliberate practice has a few defining characteristics, according to Whitmore: It must be intentional, it must be targeted to the individuals skill level, and it must be followed up with immediate feedback.

A science-backed approach to practice can change behavior. It can create more skillful leadership. Organizations that practice deliberately can change individuals, teams and culture for the better. Still, this approach is surprisingly uncommon in the cybersecurity industry. There are a few exceptions, such as the X-Force Command Cyber Tactical Ops Center and simulations in the cyber range.

Human security is what matters during a cybersecurity crisis, where skills and muscle memory can make the difference in make-or-break moments. Leaders and culture are the most important predictors of cyberattack outcomes, so its time to stop under-investing in human security.

Great leadership and security culture dont happen by accident. However, deliberate practice is exactly what Whitmore does best. In her nearly two-decade career in the Air Force Special Forces and industry, shes run 3,000 simulations and built leading global incident-response teams.

Roland Cloutier, SVP and chief security officer (CSO) at ADP, is another leader whos focused on human security. Delivering 40 million individuals paychecks requires a globally embedded culture of security. A recent conversation between Whitmore and Cloutier looked at ADPs approach to building security leadership and culture.

Our focus here at ADP is to make security a component of what everyone does in their jobs, said Cloutier. Hes seen a massive transformation during his decade as ADPs CSO.

Part of ADPs transformation is the result of executive buy-in, as the business climate there supports a security culture. However, Cloutiers revolution is also the result of five universally valuable tools:

One of our primary concepts is inclusive ideation from our people, said Cloutier. We have a new generation of cyber warriors and risk analysts and business people coming up. ADP views tomorrows leaders as a source of security solutions.

The idea of inclusive ideation also extends outside ADPs walls. Our sales force asks how we can protect the client better and what clients want, said Cloutier.

Executive committee engagement is another part of ADPs global security framework. Theres not just executive oversight, said Cloutier. Theres engagement. There are questions, and there are challenges to how were approaching security from the executive committee.

ADP employees have the opportunity to participate and explore security tasks and, ultimately, careers. Associates can join the Safe Pre-Pro Program, which is a global initiative for security awareness. Over 10 percent of ADPs global associates have opted into the program. Program members are assigned active security task loads and responsibilities they perform locally, in their current roles.

Deliberate practice is another focal point. Internal security champions learn hands-on security skills in the X-Force Cyber Ops Command Center. Sometimes, employees learn side-by-side with ADPs attorneys, executives and external stakeholders.

When we train as a culture, we train as a global team. We operate that way in crisis, said Cloutier.

ADPs security practice has adopted some uncommon, effective approaches to communication. For example, their education efforts include blogs and podcasts that talk about security in a way that resonates with their workforce and clients.

In a tight talent climate, Cloutier has had to consider new approaches to hiring and skills.

We look outside of ADP all the way back into the eighth grade with programs like the Womens Society of Cyberjutsu, said Cloutier. We look at post-grad programs and how we can help [students] graduate as new leaders in security.

A 10-year talent pipeline is a rare level of human security investment. Still, its the kind of intervention that benefits everyone. Working with eighth graders creates a stronger, more diverse security leadership pipeline for tomorrow.

ADPs talent-sourcing efforts also extend to individuals with nontraditional technology backgrounds, like global military talent and emerging specializations. We look at unique areas to quickly assimilate [new hires] into our environment and make them productive members of our programs, said Cloutier.

Cloutier has what Whitmore calls a relentless focus on improvement. Hes created a security revolution in the past decade at ADP. The organizations shift is no accident. Instead, its the result of a continued investment in human security.

Security is embedded in ADPs culture. Its who they are in front of customers, and its who they are behind closed doors. Cybersecurity is part of ADPs entire product life cycle. We dont just talk about security issues or vulnerabilities, said Cloutier. We talk about the total quality of product and security measures.

Human security is among the most important investments an organization can make. As Whitmore put it: Every investment helps our people and our organizations to dramatically improve the odds in a cybersecurity event. Deliberate practice leads to expert behavior during incident response, and shifting peoples hearts and minds starts with meaningful experience and education.

Learn more about driving security into the fabric of your business

Originally posted here:
How Human Security Investments Created a Global Culture of Accountability at ADP - Security Intelligence